
mahara-packaging team mailing list archive

[Bug 888358] Re: Several security updates for Mahara


Thanks for reporting this bug and attaching a series of debdiffs.  As
these are security uploads, they need to be sponsored by the security
team.

The patches look great.  Whilst reviewing, I did notice a couple of trivial things:
- debian/control: The Maintainer field update wouldn't normally be appropriate for a stable release update
- debian/changelog:
   - It is convention to wrap at 80 chars.
   - No LP: #888358, which will close these bugs.
   - The CVE numbers should be quoted on a standalone line.
   - "How the bad guys can win" is described, but a high-level comment on /how/ it is resolved isn't documented.
- debian/patches/*.patch: Great to see use of DEP-5 headers, although it's not clear to me if these patches are actually applied upstream or just submitted (useful to know when they can be dropped).

For an example of changelog formatting for security uploads, please see the template on:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Thanks.

-- 
You received this bug notification because you are a member of Mahara
Packaging, which is subscribed to mahara in Ubuntu.
https://bugs.launchpad.net/bugs/888358

Title:
  Several security updates for Mahara

Status in “mahara” package in Ubuntu:
  New

Bug description:
  Here are patches to fix a number of very serious security issues in
  lucid, maverick, natty and oneiric versions of Mahara.

  Issues affecting both 1.2.x and 1.4.0 are:

    * XSS in unvalidated URI attributes
      - CVE-2011-2771
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4135

    * DoS attack via invalid or excessively large images
      - CVE-2011-2772
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4133

    * XSRF allowing attackers to trick an admin into adding them to an institution
      - CVE-2011-2773
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4137

    * Prevent masquerading users from jumping via XMLRPC as others
      - CVE pending from oss-sec list via debian security list
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4138

  One issue affects the 1.4.0 version of Mahara in Oneiric:

    * Information disclosure exposing private messages
      - CVE-2011-2774
      - Upstream advisory: http://mahara.org/interaction/forum/topic.php?id=4134
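As an added illustration (not part of this thread and not taken from the debdiffs the reporter attached), here is what a debian/changelog entry for the 1.2.x series would look like once the reviewer's points above are applied, following the Ubuntu security-update template linked in the reply: lines wrapped at 80 columns, the LP bug reference that closes the bug, each CVE on a standalone line, and a one-line statement of how each issue is resolved. The package version, patch file names, uploader identity and date are placeholders, and the one-line fix summaries are illustrative of the kind of statement the reviewer asked for rather than a description of what the actual patches do; the CVE numbers, bug number and issue titles are the ones listed in the bug description.

```text
mahara (PKGVERSION-PLACEHOLDER) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting via unvalidated URI attributes
    (LP: #888358)
    - debian/patches/CVE-2011-2771.patch (placeholder name): only allow
      attribute values whose URI scheme is on the permitted list before
      the attribute is written into the page (illustrative summary).
    - CVE-2011-2771
  * SECURITY UPDATE: denial of service via invalid or excessively large
    images
    - debian/patches/CVE-2011-2772.patch (placeholder name): validate
      uploaded images and reject oversized dimensions before decoding
      (illustrative summary).
    - CVE-2011-2772
  * SECURITY UPDATE: cross-site request forgery letting an attacker trick
    an admin into adding them to an institution
    - debian/patches/CVE-2011-2773.patch (placeholder name): require the
      session token on the institution membership form (illustrative
      summary).
    - CVE-2011-2773
  * SECURITY UPDATE: masquerading users could jump to other accounts via
    XMLRPC
    - debian/patches/xmlrpc-masquerade.patch (placeholder name): use the
      real authenticated user, not the masqueraded one, for XMLRPC jumps
      (illustrative summary).
    - No CVE number assigned yet (pending via oss-sec)

 -- Uploader Name <uploader@example.com>  DAY, DD MON YYYY HH:MM:SS +0000
```

The 1.4.0 entry for oneiric-security would carry the same four stanzas plus a fifth for the private-messages information disclosure with CVE-2011-2774 on its own line; the "SECURITY UPDATE:" prefix and the standalone CVE line are what the security team's tooling and reviewers look for when checking that every CVE in the bug is accounted for in the upload.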

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mahara/+bug/888358/+subscriptions